Disable email / password change when two-step is required.

As we all know you can "Require two-step verification" under usergroup permissions.
They will see this message on the front page:

You must enable two-step verification to continue.
Two-step verification increases the security of your account by requiring you to provide an additional code to complete the login process. If your password is ever compromised, this verification will help prevent unauthorized access to your account.

_

One small thing I noticed is the user can still change his password or email before enabling the two-step.

Everything else is closed off like the front page, inbox and all that but everything under /account/ is accessible.

I would really like to use this as a method of preventing accounts (without 2FA already enabled) from being stolen. But with just a login, the account can be taken over even if I've "required" 2FA on the user.

I know other sites don't have to deal with the same security issues I do.
I have always had a problem of people trying to steal accounts because established accounts hold much more value.

I will be requiring 2FA for everyone but I feel that disabling account settings until they actually enable it, would be great.

An old account that hadn't logged in since 2014 or so was recently compromised.
Due to the account's previous good reputation the user was able to take advantage and scam another member for nearly $300 in bitcoin.

2factor was never completely set on his account because I only enabled it earlier this year and the user hadn't been online since.

The MALICIOUS user probably guessed a weak password or brute forced it somehow (I know serves them right for using a weak password).
The sad part is how easy it was to change the email address or password under the account when 2FA was REQUIRED. The user simply changed the email under the account and then enabled 2step to access the rest of the site.

"You must enable two-step verification to continue."
Yeah maybe to browse the website, but EVERY /account/ option is wide open before this has been set. I can change the email, password, and everything in between.

If the legitimate account owner is locked out or has an actual problem they can use the contact form. I am always happy to assist hundreds of members during the month.
_

I genuinely hope we can get some more updates to general security.

I know users should be using stronger passwords.
Due to the global nature of the site we have all kinds of idiots who like to throw money away without using a middleman or doing proper due diligence before trading.

My forum is on the front-lines here when it comes to security & accounts getting compromised. I have over 300k registered users from all around the world.
Please consider a few more roadblocks for thwarting these malicious users.

It's hard to fix stupid. I have forced sitewide password resets in the past, but people are lazy. I have to cater to the lazy folks one way or another.

If this carries on for much longer I will be forced to shut down the marketplace which will easily kill off my forum.

I'm not sure this would prevent the issue though, unless you only allow 2FA via email. If the user hasn't set up 2FA and I have their password, I'll just set up 2FA using the app (TOTP) method and then change emails, passwords, etc.

Fair enough, I really do appreciate the reply.

There must be some more little roadblocks I could set up for these scenarios.

I'd guess that users are compromised via password reuse rather than brute force. Given enough time, access to resources and incentive, if compromised passwords are reused, the accounts will be compromised.

I think about the only thing you could do is turn on email-based 2FA for users. There's no interface to do this and I'm not aware of anyone that's done this, but the email method doesn't require the users to give you any more information (phone number, save a QR code, etc). I don't consider email confirmation to be a true 2FA, but assuming these users' emails weren't compromised too, then it would likely prevent these issues. You'd need to custom develop a tool for enabling this for users on their behalf and do a fair bit of testing on it.

Last but not least here is my sloppy workaround for anyone who ever finds themselves in a similar pickle.

Since there's no actual way to keep users out of their settings, aka the Contact Details page, I had to get a bit more creative.
(this will apply to all users in the NO_2FA_ENABLED usergroup; id 70 in this example - change this to whatever your actual usergroup id is)
_____________

EDIT TEMPLATE: account_contact_details

at the very top place: <xen:if is="!{xen:helper ismemberof, $visitor, 70}">
at the very bottom place: </xen:if>

The account/contact-details page will now be invisible to everyone in the NO_2FA_ENABLED usergroup.
They will no longer be able to change password or email until they have enabled 2FA.
_____________

Now as @Mike stated before, someone could simply gain access and use their phone to use that method of enabling 2factor and taking over the account.

EDIT TEMPLATE: two_step_totp

at the very top place: <xen:if is="!{xen:helper ismemberof, $visitor, 70}">
at the very bottom place: </xen:if>

The phone app verification method will no longer be possible to use for anyone in the NO_2FA_ENABLED usergroup.

_____________

Now we are able to rely strictly on the email address that is already under their account, thus preventing an extremely easy account takeover.

Don't forget to set up a Usergroup Promotion to get the right members into the NO_2FA_ENABLED usergroup.

Apply this promotion if:
User has not enabled two-step verification

______________

I have mentioned to people how simple it is to change the email / password when 2FA hasn't been enabled (but has been required) and they are ALWAYS surprised.

This should hopefully thwart some malicious people out there who relied on this method for taking over an account and posing as a reputable member.

I will be back if issues arise but I think this will work quite nicely for now.
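Added example, not part of the post above and not XenForo's code: a small Python model of the access policy before and after the template edits, so the difference can be checked rather than described. It assumes a constructed user record with `two_step_required` (the usergroup permission) and `two_step_enabled` fields, and it names the actions after the pages the post hides (account/contact-details, two_step_totp) plus the email method it leaves open. Like the earlier reply, it assumes the mailbox on the account is not also compromised; `takeover_path_open` is the check a defender would run to see whether a password-only login can still change the account's recovery channels.

```python
"""Model of the 'require two-step' lock-down discussed in the thread.

Added illustration with constructed names; the real forum's permission
and page names differ from these identifiers.
"""
from dataclasses import dataclass
from enum import Enum, auto


class Action(Enum):
    BROWSE = auto()            # forum content: index, inbox, threads
    CHANGE_EMAIL = auto()      # account/contact-details
    CHANGE_PASSWORD = auto()   # account/contact-details
    ENROLL_TOTP = auto()       # two_step_totp (authenticator app)
    ENROLL_EMAIL_2FA = auto()  # two_step_email (code sent to the account's email)


@dataclass(frozen=True)
class User:
    name: str
    two_step_required: bool   # usergroup permission "Require two-step verification"
    two_step_enabled: bool    # the user has completed enrolment


def is_pending(user: User) -> bool:
    """True in the window the thread is about: 2FA required but not yet enabled."""
    return user.two_step_required and not user.two_step_enabled


def stock_policy(user: User, action: Action) -> bool:
    """Behaviour described in the first post: a pending user is locked out of
    content only; every /account/ page and every enrolment method stays open."""
    if is_pending(user):
        return action is not Action.BROWSE
    return True


def hardened_policy(user: User, action: Action) -> bool:
    """Behaviour after the template edits: a pending user may do nothing except
    enrol through the email address already on the account."""
    if is_pending(user):
        return action is Action.ENROLL_EMAIL_2FA
    return True


# Actions that let someone holding only the password move the account away
# from its owner (new email, new password, or a TOTP secret the owner lacks).
TAKEOVER_ACTIONS = frozenset({Action.CHANGE_EMAIL, Action.CHANGE_PASSWORD, Action.ENROLL_TOTP})


def takeover_path_open(policy, user: User) -> bool:
    """Defender's check: can a password-only login still change the account's
    recovery channels before proving control of the existing email?"""
    return any(policy(user, a) for a in TAKEOVER_ACTIONS)


def allowed(policy, user: User) -> list:
    """Sorted names of the actions a policy permits for this user."""
    return sorted(a.name for a in Action if policy(user, a))


if __name__ == "__main__":
    # Constructed sample: a dormant account whose usergroup now requires 2FA.
    dormant = User("dormant_since_2014", two_step_required=True, two_step_enabled=False)
    enrolled = User("enrolled_user", two_step_required=True, two_step_enabled=True)
    for label, policy in (("stock", stock_policy), ("hardened", hardened_policy)):
        print(label, allowed(policy, dormant),
              "takeover path open:", takeover_path_open(policy, dormant))
    print("enrolled", allowed(hardened_policy, enrolled))
```

Running it shows the stock policy leaving CHANGE_EMAIL, CHANGE_PASSWORD and ENROLL_TOTP open to a pending user, while the hardened policy leaves only ENROLL_EMAIL_2FA; users who have already enrolled, and users whose group does not require two-step, are unaffected by either.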

Forcing 2FA was never designed to prevent an account compromise before 2FA has been enabled. The purpose of blocking access to the forums is to push the (valid) user to enable it by blocking access to content.

As has already been mentioned, if an attacker has access to an account and knows the password, they can enable 2FA anyway. Your use case has led to you having to hide the TOTP method which is certainly not something we would do as it is the preferred 2FA method.

While I accept there may be an unexpected element here and I'm not necessarily against changing it, it's not something that provides additional security (unless you go about hacking out other bits).